Slashdot Mirror


Flaw in New Visa Cards Would Let Hackers Steal $1M Per Card

New submitter biomass writes with news about a flaw in Visa's contactless card that lets anyone charge $999,999 to it. According to researchers at Newcastle University in the UK, the card system developed by VISA for use in the United Kingdom fails to recognize transactions made in non-UK foreign currencies and can therefore be tricked into approving any transaction up to 999,999.99. "With just a mobile phone we created a POS terminal that could read a card through a wallet," Martin Emms, lead researcher of the project that uncovered the flaw, noted in a statement about the findings. "All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction."
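The summary describes the card applying its offline spending check only to transactions in its home currency, so a request in any other currency slips past it. The following is an added illustration, not code from the article or from the Newcastle researchers, and it does not reproduce any real EMV applet logic: the class names, the £20 offline limit, the currency codes and the decision strings are all assumptions. It puts the described behaviour beside a hardened version that refuses to approve offline anything it cannot measure against its limit.

```python
# Added example: a toy model of a contactless card's offline amount check.
# Not the card's real logic; limits, names and outcomes are assumptions.
from dataclasses import dataclass

# ISO 4217 numeric currency codes (the form EMV carries in tag 5F2A)
GBP = 826
USD = 840
EUR = 978


@dataclass
class OfflineRequest:
    amount_minor: int        # amount in minor units (pence, cents)
    currency: int            # ISO 4217 numeric code presented by the terminal
    online_available: bool   # whether the terminal could go online instead


class VulnerableCard:
    """Applies the offline limit only when the currency matches its own."""

    def __init__(self, offline_limit_minor=2000, home_currency=GBP):
        self.offline_limit = offline_limit_minor   # assumed £20 offline ceiling
        self.home_currency = home_currency

    def authorise(self, req):
        # The comparison is skipped entirely for a foreign currency, so a
        # 999,999.99 request in USD is approved offline like a coffee.
        if req.currency == self.home_currency and req.amount_minor > self.offline_limit:
            return "ONLINE_REQUIRED"
        return "APPROVED_OFFLINE"


class HardenedCard(VulnerableCard):
    """Never approves offline what it cannot compare against its limit."""

    def authorise(self, req):
        if req.currency != self.home_currency:
            # Unknown currency: the limit cannot be evaluated, so push the
            # decision to the issuer or decline when no online path exists.
            return "ONLINE_REQUIRED" if req.online_available else "DECLINED"
        if req.amount_minor > self.offline_limit:
            return "ONLINE_REQUIRED"
        return "APPROVED_OFFLINE"


def demo():
    """The rogue phone-as-terminal request: offline only, foreign currency, max amount."""
    rogue = OfflineRequest(amount_minor=99_999_999, currency=USD, online_available=False)
    return VulnerableCard().authorise(rogue), HardenedCard().authorise(rogue)


if __name__ == "__main__":
    print(demo())
```

The hardened version makes the safe choice the default: a transaction the card cannot reason about is never an offline approval, regardless of amount.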

7 of 126 comments

  1. Re:Well... no. by Anonymous Coward · · Score: 3, Informative

    fails to recognize transactions made in non-UK foreign currencies and can therefore be tricked into approving any transaction up to 999,999.99

    Motherfucker, you can't read a fucking sentence into the SUMMARY!?

  2. Re:Well... no. by bluemonq · · Score: 3, Informative

    Even if the transaction is 999,999.00 euros, the point remains: in all likelihood that transaction would be over the limit of 99.999% of all credit cards out there.

    Also:

    "Since the transaction is done offline without going through a retailer’s point-of-sale system, no other security checks are done."

    How do they get at the money, however much it is, without passing it through the payment network at one point or another? It's not like there's only one check done when the card is tapped.

  3. Re: Good by Anonymous Coward · · Score: 4, Informative

    Woven steel passport wallet here - dump it on the x-ray belt regularly in jacket and all sorts. Been asked to walk thru with passport/boarding pass on odd occasion but just slip them out of metal sleeve for that. Wallet itself has never been a burden.

  4. Re:Wouldn't the target phone need to be turned on by Chocolate+Teapot · · Score: 4, Informative

    No. You didn't read TFA. The target is a contactless credit/debit card carried in the victim's wallet. The phone is used by the thief, who installs basic point-of-sale software on it and then bumps it against a wallet in an attempt to relieve the victim of funds. The card is a passive device which is never 'turned off'.

    --
    Modest doubt is called the beacon of the wise. - William Shakespeare
  5. Re:Well... no. by sumdumass · · Score: 5, Informative

    A good majority of small transactions are never caught or challenged. Credit card thieves figured this out a long time ago when card skimmers and the internet came about. People don't really pay attention like they should.

  6. Re:Well... no. by Anonymous Coward · · Score: 3, Informative

    heh, I explained the exact same thing to someone on Twitter.

    You would need either:
    a) A portable POS with a Merchant account or
    b) A portable skimmer and an accomplice in the same store from which to rip off that could make such a transaction.
    c) An accomplice working for the store from which to rip off to intentionally make such charges happen.

    It comes back to you're not buying a million dollars in hotdogs. At best a would-be thief could probably rip off some fast food, coffee and 7-11 type stores in broad daylight. The attack in the article would only rip off people using offline PoS, which is basically nobody except Taxi drivers and some food-cart type of kiosks.

    The relay attack is more sophisticated and basically records and plays back both ends of the NFC transaction. One person picks up some stuff, and the accomplice gets in another line somewhere near the target (standing behind someone else in another checkout line). When the recording end senses an NFC card, the person with the playback end readies their "tap to pay" phone and starts the transaction, which is relayed to the recording phone, which relays all the data across. Then the thieves make their getaway, and the victim notices two charges from their grocery store on their bill and doesn't think too much of it, or disputes it, but would need the bank to produce the receipt to prove they didn't make the other purchase.

    Or a card owner could knowingly do this, to rip off the card company. People do this all the time with online payments. The risk however is the cashier recognizing you the next time, because I assure you that any business ripped off will blame it on the cashier not paying attention and thus "retrain" everyone to look for you and have you escorted off the premises.

    At the end of the day, the Apple Pay solution starts looking more attractive than ever.

  7. Authorisation is only half the process.... by mysqlbytes · · Score: 2, Informative

    The poster obviously doesn't understand how credit cards work. Sure, we can do an offline transaction for whatever value we want, provided the merchant doesn't fall into any of the various restricted merchant category codes, like gambling companies and so forth. Even then, you've got an offline authorisation for almost a million dollars... you think you've stolen a million dollars? Nope! Firstly the point of sale system must upload a file containing the authorisations it's performed. The bank takes this, and generally at night, through a process called settlement, moves the appropriate funds around. A lot of the settlement processes are still performed with a lot of human supervision. For one company I used to work at, which processed billions in credit card payments every year, there were 3 hardy engineers ensuring the process went off without a hitch. Catching large or fraudulent transactions happens at this stage too. Most cards have an upper transaction value also, so when submitting a file containing a value over this, the entire batch would be rejected, and an engineer would have to regenerate a new file, minus the transactions, and submit. The file submitter would get an automated report of what transactions failed to settle correctly, and from there they could investigate fraud...
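The comment above describes a settlement step that the offline authorisation never sees: the batch file is checked against each card's upper transaction value, a single oversized record causes the whole batch to be rejected, and the file is regenerated without the offenders. The following is an added illustration of that loop, not code from the commenter or from any real processor; the record layout, the per-card limits, the sample batch and the restricted merchant category code are all constructed for the example.

```python
# Added example: a toy settlement-file check of the kind the comment
# describes. Record format, limits and sample data are constructed here.
from collections import namedtuple

Auth = namedtuple("Auth", "txn_id card_token amount_minor currency merchant_category")

# Per-card upper transaction value in minor units; constructed sample data.
CARD_LIMITS = {
    "tok_a1": 500_000,     # £5,000
    "tok_b2": 1_000_000,   # £10,000
}

# Merchant category codes the issuer refuses to settle offline; assumed set.
RESTRICTED_MCC = {"7995"}

# Constructed batch: a normal purchase, the 999,999.99 offline approval
# from the article, another normal purchase, and a restricted-MCC charge.
SAMPLE_BATCH = [
    Auth("t1", "tok_a1", 2_000, 826, "5814"),
    Auth("t2", "tok_a1", 99_999_999, 840, "5814"),
    Auth("t3", "tok_b2", 150_000, 826, "5411"),
    Auth("t4", "tok_b2", 5_000, 826, "7995"),
]


def validate_batch(batch, limits=CARD_LIMITS):
    """Return (txn_id, reason) pairs that would cause the issuer to reject the file."""
    failures = []
    for a in batch:
        limit = limits.get(a.card_token)
        if limit is None:
            failures.append((a.txn_id, "unknown card"))
        elif a.amount_minor > limit:
            failures.append((a.txn_id, f"amount {a.amount_minor} exceeds card limit {limit}"))
        if a.merchant_category in RESTRICTED_MCC:
            failures.append((a.txn_id, "restricted merchant category"))
    return failures


def regenerate(batch, failures):
    """Build the resubmission file: the original batch minus every failed record."""
    bad = {txn_id for txn_id, _ in failures}
    return [a for a in batch if a.txn_id not in bad]


def settle(batch):
    """Mimic submit -> whole-batch reject -> regenerate. Returns (settled, report)."""
    failures = validate_batch(batch)
    if not failures:
        return list(batch), []
    # The issuer rejected the entire file; nothing in it moved money.
    return regenerate(batch, failures), failures


if __name__ == "__main__":
    settled, report = settle(SAMPLE_BATCH)
    for txn_id, reason in report:
        print(f"{txn_id}: {reason}")
    print("settled:", [a.txn_id for a in settled])
```

The report is the "automated report of what transactions failed to settle" the comment mentions; in practice it is the trigger for the fraud investigation, since the oversized record points straight at the terminal that submitted it.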